TWI545923B - Network device, IPsec system and method for establishing IPsec tunnel using the same - Google Patents


Info

Publication number: TWI545923B
Authority: TW (Taiwan)
Prior art keywords: ipsec, network, address, network device, slave
Application number: TW102145927A
Other languages: Chinese (zh)
Other versions: TW201445958A (en)
Inventor: 連家豪
Original Assignee: 中磊電子股份有限公司
Application filed by 中磊電子股份有限公司
Priority to US14/224,096 (US9602470B2)
Publication of TW201445958A
Application granted
Publication of TWI545923B


Description

Network device, Internet Protocol security system using the same, and method for establishing an Internet Protocol security tunnel

The present invention relates to a network device, and more particularly to a network device providing Internet Protocol security (IPsec), an IPsec system using the same, and a method for establishing an IPsec tunnel.

With the growth of the Internet and the spread of mobile communications, the security requirements for data transmission over networks keep rising. Transmitting data with Internet Protocol security (IPsec) has therefore become increasingly important, and how to reduce the hardware cost of IPsec transmission effectively while keeping it convenient for ordinary users is one of the problems the industry is currently working on.

The invention relates to a network device, an IPsec system using the same, and a method for establishing an IPsec tunnel.

According to a first aspect of the invention, a network device is provided for connecting a plurality of slave network devices. Each slave network device communicates with the network device using an Internet Protocol (IP) address. The network device includes an Internet Protocol Security (IPsec) module and a Network Address Translation (NAT) module. The IPsec module establishes an IPsec tunnel across the Internet to a network gateway and obtains an IPsec IP address corresponding to that tunnel. The NAT module translates the IP addresses of the slave network devices into this IPsec IP address, so that when the slave network devices connect to the network gateway through the IPsec tunnel established by the IPsec module, they do so using this IPsec IP address.

According to another aspect of the invention, an Internet Protocol security system is provided that includes a network gateway and a network device. The network gateway connects to an internal network (intranet), which is connected to the Internet through the network gateway. The network device connects a plurality of slave network devices, each of which communicates with the network device using an IP address, and includes an IPsec module and a NAT module. The IPsec module establishes an IPsec tunnel across the Internet to the network gateway and obtains an IPsec IP address corresponding to that tunnel. The NAT module translates the IP addresses of the slave network devices into this IPsec IP address, so that when the slave network devices connect to the network gateway through the IPsec tunnel established by the IPsec module, they do so using this IPsec IP address.

According to another aspect of the invention, a method for establishing an Internet Protocol security tunnel is provided. The method includes: establishing an IPsec tunnel from a network device to a network gateway and obtaining an IPsec IP address corresponding to that tunnel, where the network device connects a plurality of slave network devices and each slave network device communicates with the network device using an IP address; and translating the IP addresses of the slave network devices into this IPsec IP address, so that when the slave network devices connect to the network gateway through the IPsec tunnel established by the network device, they do so using this IPsec IP address.

For a better understanding of the above and other aspects of the invention, preferred embodiments are described in detail below with reference to the accompanying drawings:

10: network device

12: network gateway

14: Internet

16: IPsec tunnel

18: internal network

102: IPsec module

104: NAT module

106, 122: encryption unit

108, 124: decryption unit

112~114: slave network devices

180: remote host

202, 204, 206, 208, 212, 214, 216, 218: packets

FIG. 1 is a schematic diagram of a network device according to an embodiment of the invention and of the Internet Protocol security system in which it is used.

FIG. 2 is a schematic diagram of the network device transmitting a packet to the Internet.

FIG. 3 is a schematic diagram of the network gateway receiving a packet from the Internet.

FIG. 4 is a schematic diagram of the network gateway transmitting a packet to the Internet.

FIG. 5 is a schematic diagram of the network device receiving a packet from the Internet.

FIG. 1 is a schematic diagram of a network device according to an embodiment of the invention and of the Internet Protocol security system in which it is used. The network device 10 is connected to a plurality of slave network devices 112~114, each of which communicates with the network device 10 using an Internet Protocol (IP) address. The network device 10 includes an Internet Protocol Security (IPsec) module 102 and a Network Address Translation (NAT) module 104. The IPsec module 102 establishes an IPsec tunnel 16 across the Internet 14 to a network gateway 12 and obtains an IPsec IP address corresponding to the IPsec tunnel 16. The NAT module 104 translates the IP addresses of the slave network devices 112~114 into this IPsec IP address, so that the slave network devices 112~114 connect to the network gateway 12 through the IPsec tunnel 16 using this IPsec IP address.

As used herein, "connected" may mean directly or indirectly connected, and wired or wireless. For example, the network device 10 and the slave network devices 112~114 may be connected by cable or over a wireless network; no restriction is intended. The three slave network devices shown in FIG. 1 are only illustrative; more or fewer than three may be used, without restriction.

The network device 10 is, for example, a cellular base station, a router or a wireless access point (wireless AP). The slave network devices 112~114 are, for example, cellular base stations, routers, wireless access points, computer hosts or mobile devices, and need not all be of the same type. For example, in a typical home environment the network device 10 may be a small cell such as a femtocell, the slave network device 112 connected to it may be a router, the slave network device 113 a wireless access point, and the slave network device 114 the user's mobile phone.

The slave network devices 112~114 and the network device 10 may form part of a local area network in which each slave network device 112~114 has a different private IP address, for example from the 192.168.0.0~192.168.255.255 range, and the network device 10 also has a private IP address. In FIG. 1 the private IP addresses of the slave network devices 112~114 are, for example, 192.168.1.2~192.168.1.4 respectively, and the private IP address of the network device 10 is, for example, 192.168.1.1. Within this local area network the slave network devices 112~114 and the network device 10 communicate with one another using these private IP addresses. The slave network devices 112~114 reach the Internet 14 through the network device 10, which has a public IP address on the Internet 14, that is, a real (global) IP address. The real IP address of the network device 10 is, for example, 200.0.0.3.

The network gateway 12 is connected to an internal network 18, which is connected to the Internet 14 through the network gateway 12. The internal network 18 may be a corporate local area network or a telecom operator's core network. In a 4G Long Term Evolution (LTE) wireless communication system, for example, the internal network 18 may be the Evolved Packet Core (EPC), and the network gateway 12 controls packet traffic that seeks to enter the internal network 18 from the external Internet 14. The network gateway 12 is, for example, a security gateway.

When the slave network device 112 wishes to establish a secure connection to a remote host 180 in the internal network 18, the IPsec tunnel mode of the IPsec protocol is used to establish that connection. The slave network device 112 must pass through the network device 10 to reach the Internet 14, and traffic from the Internet 14 into the internal network 18 must pass through the network gateway 12. The IPsec module 102 in the network device 10 establishes the IPsec tunnel 16 to the network gateway 12 in IPsec tunnel mode, while the NAT module 104 in the network device 10 translates the IP address of the slave network device 112. The detailed operation is described below.

Refer also to FIG. 2, a schematic diagram of the network device transmitting a packet to the Internet. When the slave network device 112 wishes to send data to the remote host 180 over IPsec, it transmits a packet 202 to the network device 10. Packet 202 carries a destination IPsec IP address field DI and a source private IP address field SP. The range used for IPsec IP addresses is a range that the IP specification reserves for private addresses; in this exemplary embodiment IPsec IP addresses are taken from, for example, the 10.0.0.0~10.255.255.255 range. The IPsec IP address of the target remote host 180 is, for example, 10.0.0.2, and the private IP address of the requesting slave network device 112 is, for example, 192.168.1.2. Field DI of packet 202 therefore holds 10.0.0.2 and field SP holds 192.168.1.2, and the slave network device 112 transmits packet 202 to the network device 10.

After the network device 10 receives packet 202, the NAT module 104 translates the private IP address of the slave network device 112 into the IPsec IP address used by the network device 10. How the network device 10 obtains its IPsec IP address is explained next.

When the IPsec module 102 in the network device 10 sends a request over the Internet 14 to the network gateway 12 to establish the IPsec tunnel 16, the network gateway 12 issues a certificate for authentication and, once authentication succeeds, assigns an IPsec IP address to the network device 10. In this way the IPsec module 102 establishes the IPsec tunnel 16 across the Internet 14 to the network gateway 12 and obtains the IPsec IP address corresponding to the IPsec tunnel 16. In this exemplary embodiment the IPsec IP address obtained by the IPsec module 102 is, for example, 10.0.0.3.

The NAT module 104 translates field SP of packet 202, that is, the private IP address 192.168.1.2 of the slave network device 112, into the IPsec IP address 10.0.0.3 of the network device 10 and writes it into the source IPsec IP address field SI of packet 204. The NAT module 104 then passes packet 204 to the IPsec module 102.

The NAT module 104 translates the private IP addresses of the slave network devices 112~114 into the IPsec IP address of the network device 10 and records the correspondence between the private IP addresses of the slave network devices 112~114 and the ports of the network device 10 in a NAT lookup table, an example of which is shown in Table 1 below.

The NAT module 104 translates traffic from the slave network device 112 (private IP address 192.168.1.2), the slave network device 113 (private IP address 192.168.1.3) and the slave network device 114 (private IP address 192.168.1.4) to the same IPsec IP address 10.0.0.3. That is, the different slave network devices 112~114 use the same IPsec IP address and connect to the network gateway 12 through the same IPsec tunnel 16. On the other hand, the ports of the different slave network devices 112~114 are mapped to different ports of the network device 10, so that when the network device 10 receives a packet from the network gateway 12 over the Internet 14, the port information tells it which slave network device the packet must be forwarded to.

After receiving packet 204, the IPsec module 102 can encrypt the entire packet 204. The IPsec module 102 includes an encryption unit 106 and a decryption unit 108. When the network device 10 transmits a packet generated by the slave network device 112 to the Internet 14, the encryption unit 106 encrypts packet 204 and adds an Encapsulating Security Payload (ESP) header, as shown by packet 206 in FIG. 2. The hatched parts are the encrypted fields: the ESP header field ESP, the destination IPsec IP address field DI, the source IPsec IP address field SI and the data field DATA. The IPsec module 102 then adds, at the outermost layer, the real IP address field SG of the source host and the real IP address field DG of the destination host. In this embodiment the real IP address of the network device 10 is 200.0.0.3 and the real IP address of the network gateway 12 is 200.0.0.2. Packet 206 is the packet transmitted over the Internet 14, and its hatched fields are encrypted, so even if packet 206 is eavesdropped on the Internet 14, the eavesdropper learns only the contents of fields DG and SG and cannot read the encrypted fields, which is what makes the connection secure.

Refer next to FIG. 3, a schematic diagram of the network gateway receiving a packet from the Internet. The network gateway 12 includes an encryption unit 122 and a decryption unit 124. After the network gateway 12 receives packet 206 from the Internet 14, the decryption unit 124 decrypts its contents to obtain packet 208, which carries the source IPsec IP address (field SI) and the destination IPsec IP address (field DI). From the content of field DI, 10.0.0.2, the network gateway 12 knows to deliver packet 208 to the remote host 180 in the internal network 18, whose IPsec IP address is 10.0.0.2.

FIG. 2, FIG. 3 and the description above cover the transfer of data from the slave network device 112 to the remote host 180. The transfer of data from the remote host 180 to the slave network device 112 is described below with reference to FIG. 4 and FIG. 5.

FIG. 4 is a schematic diagram of the network gateway transmitting a packet to the Internet. Packet 212 sent by the remote host 180 contains a destination IPsec IP address field DI (holding the destination IPsec IP address 10.0.0.3) and a source IPsec IP address field SI (holding the source IPsec IP address 10.0.0.2). After the network gateway 12 receives packet 212, the encryption unit 122 encrypts packet 212, adds the ESP header, and then adds at the outermost layer the source host real IP address field SG (holding the source host real IP address 200.0.0.2) and the destination host real IP address field DG (holding the destination host real IP address 200.0.0.3), forming packet 214, which is transmitted to the Internet 14. The hatched fields of packet 214 are encrypted.

FIG. 5 is a schematic diagram of the network device receiving a packet from the Internet. After the network device 10 receives packet 214 from the Internet 14, the decryption unit 108 in the IPsec module 102 decrypts its contents to obtain packet 216, which has a source IPsec IP address field SI (holding the source IPsec IP address 10.0.0.2) and a destination IPsec IP address field DI (holding the destination IPsec IP address 10.0.0.3). The NAT module 104 now consults its internal NAT lookup table (Table 1) and, from the port specified in packet 214 or packet 216 (for example port 90), finds that this packet is to be forwarded to the private IP address 192.168.1.2. The NAT module 104 translates the IPsec IP address 10.0.0.3 in field DI into the private IP address 192.168.1.2 of the slave network device 112 and produces packet 218 accordingly. Packet 218 has a source IPsec IP address field SI (holding the source IPsec IP address 10.0.0.2) and a destination private IP address field DP (holding the destination private IP address 192.168.1.2). The NAT module 104 transmits packet 218 to the slave network device 112, which completes the transfer of data from the remote host 180 to the slave network device 112.
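As an added worked example (not code from the patent), the following Python model shows the NAT module 104 of FIG. 2 and FIG. 5 working over the shared tunnel: packets 202 to 204 get the shared IPsec IP address 10.0.0.3 and a per-slave device port recorded in the lookup table, packets 216 to 218 are demultiplexed by that port, and an inbound packet whose port matches no table row is dropped rather than forwarded to a guessed slave. The Packet class, the port allocation starting at port 90 and the table layout are assumptions, since Table 1 itself is not reproduced on the page.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Addresses from the embodiment in the description above.
DEVICE_IPSEC_IP = "10.0.0.3"       # IPsec IP address the gateway assigned to network device 10
REMOTE_HOST_IPSEC_IP = "10.0.0.2"  # IPsec IP address of remote host 180


@dataclass(frozen=True)
class Packet:
    """Inner packet as seen by the NAT module (assumed layout; fields DI/SI/SP/DP of the figures)."""
    src: str
    dst: str
    sport: int
    dport: int
    data: bytes = b""


class NatModule:
    """Model of NAT module 104: one shared IPsec IP address, one device port per slave flow."""

    def __init__(self, ipsec_ip: str, first_port: int = 90) -> None:
        self.ipsec_ip = ipsec_ip
        self._next_port = first_port
        # NAT lookup table (the page's Table 1, layout assumed), kept in both directions.
        self._out: Dict[Tuple[str, int], int] = {}  # (private IP, private port) -> device port
        self._in: Dict[int, Tuple[str, int]] = {}   # device port -> (private IP, private port)

    def outbound(self, pkt: Packet) -> Packet:
        """Packet 202 -> 204: replace the slave's private source address (SP) with the
        shared IPsec IP address (SI) and a device port recorded in the table."""
        key = (pkt.src, pkt.sport)
        port = self._out.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = key
        return replace(pkt, src=self.ipsec_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet 216 -> 218: look the device port up in the table and rewrite the
        destination (DI) to the slave's private address (DP). Returns None, meaning
        drop, when the packet is not for the shared address or no slave opened the port."""
        if pkt.dst != self.ipsec_ip:
            return None
        entry = self._in.get(pkt.dport)
        if entry is None:
            return None  # unsolicited inbound traffic: no slave to forward it to
        priv_ip, priv_port = entry
        return replace(pkt, dst=priv_ip, dport=priv_port)

    def table(self) -> List[Tuple[str, int, int]]:
        """Rows (private IP, private port, device port) of the lookup table."""
        return sorted((ip, p, dp) for (ip, p), dp in self._out.items())


def run_example():
    """Constructed traffic: slaves 112 and 113 each talk to remote host 180, and 180 replies to 112."""
    nat = NatModule(DEVICE_IPSEC_IP)
    p202 = Packet("192.168.1.2", REMOTE_HOST_IPSEC_IP, 5000, 443, b"from slave 112")
    p204 = nat.outbound(p202)
    q204 = nat.outbound(Packet("192.168.1.3", REMOTE_HOST_IPSEC_IP, 5000, 443, b"from slave 113"))
    # Reply from host 180 after decryption by unit 108 (packet 216), addressed to 10.0.0.3:<device port>.
    p216 = Packet(REMOTE_HOST_IPSEC_IP, DEVICE_IPSEC_IP, 443, p204.sport, b"to slave 112")
    p218 = nat.inbound(p216)
    # Same source, but a port no slave mapped: the NAT module drops it instead of guessing a slave.
    stray = nat.inbound(Packet(REMOTE_HOST_IPSEC_IP, DEVICE_IPSEC_IP, 443, 9999))
    return p204, q204, p218, stray, nat.table()


if __name__ == "__main__":
    for item in run_example():
        print(item)
```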

The network device and IPsec system of the embodiments above translate the IP addresses of different slave network devices into the same IPsec IP address through the NAT module. Multiple slave network devices, such as wireless access points, routers and cellular base stations, can therefore share one IPsec tunnel and connect to the remote network gateway with the same IPsec IP address. Even when several slave network devices want to send data over IPsec, only one IPsec tunnel needs to be established, which reduces the storage capacity and computing power required of the network device that performs the IPsec function. The network gateway also needs to issue a certificate only once, which reduces the number of certificates it must issue. Compared with the conventional approach, this lowers cost.

Moreover, in the architecture of the embodiments above, only the network device needs the functions for handling IPsec transmission, including the authentication and the encryption/decryption computation that IPsec transmission requires; the slave network devices need no IPsec-related computing capability, and encryption/decryption in particular requires relatively complex circuitry and consumes more power. This not only lowers the cost of the slave network devices but also gives ordinary users good scalability: a router without IPsec support, or an ordinary smartphone, can send data over IPsec through the network device as soon as it joins the same local area network as the network device and the existing slave network devices, so adding slave network devices on the user side is easy.

In summary, although the invention has been disclosed above by way of preferred embodiments, they are not intended to limit the invention. Those of ordinary skill in the art may make various changes and modifications without departing from the spirit and scope of the invention. The scope of protection of the invention is therefore defined by the appended claims.


Claims (17)

1. A network device for connecting to a plurality of slave network devices, each of the slave network devices communicating with the network device using a different Internet Protocol (IP) address, the network device comprising: an Internet Protocol Security (IPsec) module for establishing an IPsec tunnel across the Internet to a network gateway and obtaining an IPsec IP address corresponding to the IPsec tunnel; and a Network Address Translation (NAT) module for translating the different IP addresses of the slave network devices into the same IPsec IP address, so that the slave network devices share the IPsec tunnel and connect to the network gateway through the IPsec tunnel using the same IPsec IP address.

2. The network device of claim 1, wherein the network device is a cellular base station, a router or a wireless access point, each of the slave network devices is a cellular base station, a router, a wireless access point, a computer host or a mobile device, and the network gateway is a security gateway.

3. The network device of claim 1, wherein the IPsec module comprises an encryption unit and a decryption unit, the encryption unit encrypting a packet transmitted through the IPsec module to the network gateway and the decryption unit decrypting an encrypted packet received from the network gateway.

4. The network device of claim 1, wherein the slave network devices communicate with the network device using different private IP addresses, the NAT module translates the different private IP addresses of the slave network devices into the same IPsec IP address, and the NAT module records the correspondence between the different private IP addresses of the slave network devices and ports of the network device in a NAT lookup table.

5. The network device of claim 1, wherein the slave network devices communicate with the network device using different private IP addresses, the NAT module translates the same IPsec IP address into the different private IP addresses of the slave network devices, and the NAT module records the correspondence between the different private IP addresses of the slave network devices and ports of the network device in a NAT lookup table.

6. The network device of claim 1, wherein the IPsec module uses IPsec tunnel mode to establish the IPsec tunnel across the Internet to the network gateway.

7. An Internet Protocol security system, comprising: a network gateway for connecting to an internal network, the internal network being connected to the Internet through the network gateway; and a network device for connecting to a plurality of slave network devices, each of the slave network devices communicating with the network device using a different IP address, the network device comprising: an Internet Protocol security module for establishing an IPsec tunnel across the Internet to the network gateway and obtaining an IPsec IP address corresponding to the IPsec tunnel; and a network address translation module for translating the different IP addresses of the slave network devices into the same IPsec IP address, so that the slave network devices share the IPsec tunnel and connect to the network gateway through the IPsec tunnel using the same IPsec IP address.

8. The Internet Protocol security system of claim 7, wherein the network device is a cellular base station, a router or a wireless access point, each of the slave network devices is a cellular base station, a router, a wireless access point, a computer host or a mobile device, and the network gateway is a security gateway.

9. The Internet Protocol security system of claim 7, wherein the IPsec module comprises an encryption unit and a decryption unit, the encryption unit encrypting a packet transmitted through the IPsec module to the network gateway and the decryption unit decrypting an encrypted packet received from the network gateway.

10. The Internet Protocol security system of claim 7, wherein the slave network devices communicate with the network device using different private IP addresses, the NAT module translates the different private IP addresses of the slave network devices into the same IPsec IP address, and the NAT module records the correspondence between the different private IP addresses of the slave network devices and ports of the network device in a NAT lookup table.

11. The Internet Protocol security system of claim 7, wherein the slave network devices communicate with the network device using different private IP addresses, the NAT module translates the same IPsec IP address into the different private IP addresses of the slave network devices, and the NAT module records the correspondence between the different private IP addresses of the slave network devices and ports of the network device in a NAT lookup table.

12. The Internet Protocol security system of claim 7, wherein the network gateway comprises an encryption unit and a decryption unit, the encryption unit encrypting a packet transmitted through the network gateway to the network device and the decryption unit decrypting an encrypted packet received from the network device.

13. The Internet Protocol security system of claim 7, wherein the IPsec module uses IPsec tunnel mode to establish the IPsec tunnel across the Internet to the network gateway.

14. A method for establishing an Internet Protocol security tunnel, comprising: establishing an IPsec tunnel from a network device to a network gateway and obtaining an IPsec IP address corresponding to the IPsec tunnel, the network device being for connecting to a plurality of slave network devices, each of the slave network devices communicating with the network device using a different IP address; and translating the different IP addresses of the slave network devices into the same IPsec IP address, so that the slave network devices share the IPsec tunnel and connect to the network gateway through the IPsec tunnel using the same IPsec IP address.

15. The method of claim 14, wherein, in the step of establishing the IPsec tunnel from the network device to the network gateway, IPsec tunnel mode is used to establish the IPsec tunnel from the network device to the network gateway.

16. The method of claim 14, wherein, in the step of translating the different IP addresses of the slave network devices into the same IPsec IP address, a NAT method is used to translate the different IP addresses of the slave network devices into the same IPsec IP address.
如申請專利範圍第16項所述之建立網際網路協定安全性通道之方法,其中於該NAT方法中,係轉換該些從屬網路裝置不同的私有IP位址為相同的該IPsec IP位址,並將該些從屬網路裝置不同的私有IP位址與該網路裝置的埠之間的對應關係記錄於一NAT查找表中。 The method for establishing an internet protocol security channel according to claim 16, wherein in the NAT method, different private IP addresses of the slave network devices are converted to the same IPsec IP address. And mapping the correspondence between the different private IP addresses of the slave network devices and the network device to the NAT lookup table.
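The claims above (the network device claims, system claims 7 through 12, and method claims 14 through 17) all describe the same mechanism: a NAT module rewrites the distinct private addresses of several slave devices to the one IPsec IP address of the tunnel and keeps a lookup table of private address to device port, so that replies coming back through the tunnel can be delivered to the right slave. The following Python sketch is an added example, not code from the patent or its assignee. It assumes a per-flow table keyed on the full private 4-tuple (a design choice the claims leave open), a configurable device port range, and constructed sample addresses (10.0.0.x for slaves, 203.0.113.5 as the IPsec IP, 192.0.2.10 and 198.51.100.7 as peers, all documentation ranges). It also shows two failure modes a practitioner cares about: an inbound packet with no matching entry, or from a peer the slave never contacted, is dropped, and a full port range raises instead of silently reusing a port.

```python
"""Constructed example of the NAT lookup table the claims describe.

Not the patent's own code. Several slave devices with distinct private IP
addresses are rewritten to the single IPsec IP address of the network device;
the table records which device port stands for which private (IP, port) so
that replies arriving through the IPsec tunnel map back to the right slave.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Addressing of one packet as seen by the NAT module (IPs as strings)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    def __init__(self, ipsec_ip: str, port_range: range = range(40000, 50000)):
        self.ipsec_ip = ipsec_ip      # the one address every slave shares
        self._ports = port_range      # device ports available for translation
        self._outbound = {}           # private Flow -> device port
        self._inbound = {}            # device port -> private Flow (reverse)

    def _allocate_port(self) -> int:
        for port in self._ports:
            if port not in self._inbound:
                return port
        raise RuntimeError("NAT port range exhausted")

    def translate_outbound(self, pkt: Flow) -> Flow:
        """Slave -> tunnel: replace the private source with the IPsec IP."""
        if not ipaddress.ip_address(pkt.src_ip).is_private:
            raise ValueError(f"{pkt.src_ip} is not a private address")
        port = self._outbound.get(pkt)
        if port is None:              # first packet of this flow: record it
            port = self._allocate_port()
            self._outbound[pkt] = port
            self._inbound[port] = pkt
        return Flow(self.ipsec_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Flow) -> Optional[Flow]:
        """Tunnel -> slave: reverse lookup by device port.

        Returns None (drop) when no entry exists or when the packet does not
        come from the peer the slave actually contacted.
        """
        if pkt.dst_ip != self.ipsec_ip:
            return None
        orig = self._inbound.get(pkt.dst_port)
        if orig is None or (pkt.src_ip, pkt.src_port) != (orig.dst_ip, orig.dst_port):
            return None
        return Flow(pkt.src_ip, pkt.src_port, orig.src_ip, orig.src_port)

    def entries(self) -> list:
        """The lookup table as (private_ip, private_port, device_port) rows."""
        return sorted((f.src_ip, f.src_port, p) for f, p in self._outbound.items())


def demo() -> list:
    """Two slaves, both using local port 5000, share one IPsec IP address.

    The port range is deliberately tiny (two ports) so the exhaustion
    path is exercised by a third slave.
    """
    nat = NatTable("203.0.113.5", range(40000, 40002))
    a = nat.translate_outbound(Flow("10.0.0.2", 5000, "192.0.2.10", 443))
    b = nat.translate_outbound(Flow("10.0.0.3", 5000, "192.0.2.10", 443))
    # reply from the contacted peer to the second slave's device port
    reply = nat.translate_inbound(Flow("192.0.2.10", 443, "203.0.113.5", b.src_port))
    # unsolicited packet from a different peer aimed at the same device port
    stray = nat.translate_inbound(Flow("198.51.100.7", 443, "203.0.113.5", b.src_port))
    try:
        nat.translate_outbound(Flow("10.0.0.4", 5000, "192.0.2.10", 443))
        exhausted = False
    except RuntimeError:
        exhausted = True
    return [a, b, reply, stray, exhausted, nat.entries()]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The reverse-path check in `translate_inbound` is what keeps a shared IPsec IP from becoming an open relay into the slave network: only the peer a slave addressed can reach it back through the device port, and everything else arriving on the tunnel is discarded before it touches the private side.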
TW102145927A 2013-05-23 2013-12-12 Network device, ipsec system and method for establishing ipsec tunnel using the same TWI545923B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/224,096 US9602470B2 (en) 2013-05-23 2014-03-25 Network device, IPsec system and method for establishing IPsec tunnel using the same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US201361826551P 2013-05-23 2013-05-23

Publications (2)

Publication Number Publication Date
TW201445958A TW201445958A (en) 2014-12-01
TWI545923B true TWI545923B (en) 2016-08-11

Family

ID=50169454

Family Applications (1)

Application Number Title Priority Date Filing Date
TW102145927A TWI545923B (en) 2013-05-23 2013-12-12 Network device, ipsec system and method for establishing ipsec tunnel using the same

Country Status (2)

Country Link
CN (1) CN103618750B (en)
TW (1) TWI545923B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105637914A (en) * 2015-04-03 2016-06-01 华为技术有限公司 Communication method, base station, access point and system
TWI648968B (en) * 2017-08-15 2019-01-21 智易科技股份有限公司 Connection device, connection method, and access system for remote network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7159242B2 (en) * 2002-05-09 2007-01-02 International Business Machines Corporation Secure IPsec tunnels with a background system accessible via a gateway implementing NAT
CN101667918B (en) * 2009-10-15 2011-10-05 中国电信股份有限公司 Method and system for realizing cooperative work
KR101395405B1 (en) * 2009-11-02 2014-05-14 엘지전자 주식회사 Nat traversal for local ip access

Also Published As

Publication number Publication date
CN103618750B (en) 2017-03-01
TW201445958A (en) 2014-12-01
CN103618750A (en) 2014-03-05

Similar Documents

Publication Publication Date Title
JP4707992B2 (en) Encrypted communication system
US9712504B2 (en) Method and apparatus for avoiding double-encryption in site-to-site IPsec VPN connections
EP3096497B1 (en) Method, apparatus, and network system for terminal to traverse private network to communicate with server in ims core network
US9602470B2 (en) Network device, IPsec system and method for establishing IPsec tunnel using the same
US10608986B2 (en) Dynamic VPN address allocation
CN108769292B (en) Message data processing method and device
US9515824B2 (en) Provisioning devices for secure wireless local area networks
US20180288013A1 (en) End-to-end secured communication for mobile sensor in an iot network
CN105376239A (en) Method and device for supporting mobile terminal to perform IPSec VPN message transmission
TW201513620A (en) Gateway, client device and methods for facilitating communication between a client device and an application server
KR20180130203A (en) APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
CN105516062B (en) Method for realizing L2 TP over IPsec access
WO2014048373A1 (en) Method and device for wireless information transmission
US20170207921A1 (en) Access to a node
TWI493946B (en) Virtual private network communication system, routing device and method thereof
TWI545923B (en) Network device, ipsec system and method for establishing ipsec tunnel using the same
WO2014172836A1 (en) Method and apparatus for accessing network, and network system
CN103188356B (en) A kind of outer net maps IPsec message and realizes the NAT method passed through
JP6990647B2 (en) Systems and methods that provide a ReNAT communication environment
US20210067956A1 (en) Methods and apparatus for end-to-end secure communications
US8897441B2 (en) Packet transmitting and receiving apparatus and packet transmitting and receiving method
KR101329968B1 (en) Method and system for determining security policy among ipsec vpn devices
JP2007228383A (en) Radio communication system supporting public wireless internet access service business
KR20220148880A (en) Inter-node privacy communication method and network node
CN109361684B (en) Dynamic encryption method and system for VXLAN tunnel